From 6e94f44d25a0dafe57d5384aab46e51b1d366d54 Mon Sep 17 00:00:00 2001
From: Chloe Deguzman
Date: Fri, 4 Mar 2016 21:00:13 +0000
Subject: [PATCH] HOR-285 Updated documentation regarding sort by filtering.

---
 workflow/engine/methods/cases/proxyProcessList.php | 10 ++++++++++
 workflow/engine/templates/processes/main.js | 9 +++++++++
 2 files changed, 19 insertions(+)

diff --git a/workflow/engine/methods/cases/proxyProcessList.php b/workflow/engine/methods/cases/proxyProcessList.php
index 6d72d43e8..6e2c91f9f 100755
--- a/workflow/engine/methods/cases/proxyProcessList.php
+++ b/workflow/engine/methods/cases/proxyProcessList.php
@@ -44,6 +44,16 @@ try {
 if (isset( $start )) {
 $Criteria->setOffset( $start );
 }
+
+ // The $sort field is arbitrary
+ // This can result in ORDER BY
+ // SQL injection
+
+ // This ensures that ORDER BY will ONLY
+ // use a known good sort field.
+ // There is a matching list on the javascript side at
+ // workflow/engine/templates/processes/main.js
 $allowedSortField = array(
 "PRO_TITLE",
diff --git a/workflow/engine/templates/processes/main.js b/workflow/engine/templates/processes/main.js
index d537e19e6..f41e153a0 100755
--- a/workflow/engine/templates/processes/main.js
+++ b/workflow/engine/templates/processes/main.js
@@ -279,6 +279,15 @@ Ext.onReady(function(){
 },
 columns: [
 expander,
+
+ // There is a list of allowed columns to sort:
+ // workflow/engine/methods/cases/proxyProcessList.php
+ // This is to prevent ORDER BY injection attacks
+
+ // It is identical to this list.
+ // If you need to add a new column that is sortable, please
+ // make sure it is added there or sorting will not work.
+
 {id:'PRO_UID', dataIndex: 'PRO_UID', hidden:true, hideable:false},
 {header: "", dataIndex: 'PRO_STATUS', width: 50, hidden:true, hideable:false},
 {header: _('ID_PRO_DESCRIPTION'), dataIndex: 'PRO_DESCRIPTION',hidden:true, hideable:false},
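Review bot: The new comment above `$allowedSortField` is broken into two fragments by blank lines and is itself separated from the array it describes by blank lines, so the second half ("This ensures that ORDER BY will ONLY…") reads as orphaned from the code that enforces it; fold it into one contiguous block directly above the array, e.g. `// $sort is used in ORDER BY, so it is restricted to this allow-list of column names; the JavaScript grid in workflow/engine/templates/processes/main.js mirrors it and must be kept in sync.` The comment also asserts that the list "ensures" only known-good fields reach ORDER BY, but the comparison against `$allowedSortField` and the handling of a rejected value are outside this hunk, so the comment should state what happens to an unlisted sort field (default vs. error) once that code is confirmed rather than leaving the guarantee implicit. The enclosing try block and the array literal continue past the hunk.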
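Review bot: The comment inserted at the top of the `columns:` array says the server allow-list "is identical to this list", but this array also holds hidden entries such as `PRO_UID` and `PRO_STATUS` whose sortability is not visible here, so "identical" is probably not literally true and will mislead whoever next adds a column; state the actual contract instead, e.g. `// Any column that is sortable must also appear in $allowedSortField in workflow/engine/methods/cases/proxyProcessList.php: the server accepts only listed sort fields (ORDER BY injection guard), so unlisted columns will not sort.` The blank comment lines inside the array literal also read as stray; keep the block contiguous and place it immediately before the first column entry. The Ext.onReady callback and the columns array continue outside the hunk.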